In a data conversion process such as an encryption process, a hash function executing a hashing process on input data is frequently used. The hash function is a function for computing a fixed-length compressed value (a digest) from a supplied message. Known hash functions include MD5 with a 128-bit output value, SHA-1 with a 160-bit output value, SHA-256 with a 256-bit output value and the like.
For example, based on a request to increase analysis resistance, the hash function needs the following resistances.
Preimage resistance
2nd preimage resistance
Collision resistance
These resistances will be briefly described below.
In a hash function generating y=h(x) as an output where an input is x and the hash function is h, the preimage resistance corresponds to difficulty of computing the input x such that h(x)=y for the output y.
The 2nd preimage resistance corresponds to difficulty of finding another input value x′ satisfying h(x′)=h(x) in the case where one input value x is known.
The collision resistance corresponds to difficulty of finding two different input values x and x′ satisfying h(x′)=h(x).
It is considered that the higher these resistances are, the higher security properties the hash function has.
In previously used hash functions, vulnerability of the above-described resistances is discovered by recent developments in analysis methods. For example, it has become clear that in MD5, SHA-1 or the like which has been frequently used as a hash function, the collision resistance does not satisfy a large number of system request levels. Moreover, as an existing hash function, SHA-256 with a relatively long output length is included; however, concerns about security properties remain, because SHA-256 follows the design principle of SHA-1, and a hash function with higher security properties based on other design principle is thereby desired.